STIGQter: STIG Summary: IBM z/OS ACF2 Security Technical Implementation Guide Version: 8 Release: 2 Benchmark Date: 23 Apr 2021

IBM z/OS IEASYMUP resource must be protected in accordance with proper security requirements.

DISA Rule

SV-223457r533198_rule

Vulnerability Number

V-223457

Group Title

SRG-OS-000324-GPOS-00125

Rule Version

ACF2-ES-000370

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Configure the System level symbolic resources to be defined to the FACILITY resource class and protected. UPDATE access to the System level symbolic resources is limited to System Programmers, DASD Administrators, and/or Tape Library personnel. All access is logged. Ensure the guidelines for the resources and/or generic equivalent are followed.

Limit access to the IEASYMUP resources to the above personnel with LOG and SERVICE(UPDATE) and/or greater access.

The following commands are provided as a sample for implementing resource controls:

$KEY(IEASYMUP) TYPE(FAC)
- UID(<dasd>) SERVICE(UPDATE) LOG
- UID(<sysprgmr>) SERVICE(UPDATE) LOG
- UID(<tape librarian>) SERVICE(UPDATE) LOG
- UID(*) PREVENT

SET R(FAC)
COMPILE 'ACF2.FAC(IEASYMUP)' STORE

F ACF2,REBUILD(FAC)

Check Contents

From the ACF Command screen enter:
SET RESOURCE(FAC)
LIST IEASYMUP

If the accesses for IEASYMUP resources and/or generic equivalent are properly restricted, this is not a finding.

The ACF2 resources are defined with a default access of PREVENT.
The ACF2 resource access authorizations limit SERVICE(UPDATE) and/or greater access to DASD administrators, Tape Library personnel, and system programming personnel.
The ACF2 resource logging requirements are specified.
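
The three criteria above can be checked mechanically against exported rule source. The following is an added example, not part of the STIG or of ACF2: it assumes the rule text uses exactly the line layout of the sample in the Fix Recommendation, the UID masks are the sample's placeholders, and the deficient input (including the hypothetical `<batch>` mask) is constructed for illustration.

```python
import re

# Assumption: the rule source uses the line layout of the sample on this page:
# a $KEY header followed by "- UID(mask) SERVICE(...) LOG" / "- UID(*) PREVENT".
HEADER = re.compile(r"^\$KEY\(IEASYMUP[^)]*\)\s+TYPE\(FAC\)", re.I)
ENTRY = re.compile(r"^-?\s*UID\((?P<uid>[^)]*)\)(?P<rest>.*)$", re.I)

# Placeholder UID masks copied from the sample; substitute the site's real masks.
APPROVED = {"<dasd>", "<sysprgmr>", "<tape librarian>"}

# Constructed inputs: the page's sample, and a deliberately deficient variant.
COMPLIANT = """$KEY(IEASYMUP) TYPE(FAC)
- UID(<dasd>) SERVICE(UPDATE) LOG
- UID(<sysprgmr>) SERVICE(UPDATE) LOG
- UID(<tape librarian>) SERVICE(UPDATE) LOG
- UID(*) PREVENT"""
DEFICIENT = """$KEY(IEASYMUP) TYPE(FAC)
- UID(<sysprgmr>) SERVICE(UPDATE) LOG
- UID(<dasd>) SERVICE(UPDATE) ALLOW
- UID(<batch>) SERVICE(UPDATE) LOG"""


def audit_ieasymup(rule_text, approved_uids=APPROVED):
    """Return finding strings; an empty list corresponds to 'not a finding'."""
    lines = [ln.strip() for ln in rule_text.splitlines() if ln.strip()]
    if not lines or not HEADER.match(lines[0]):
        return ["rule set is not $KEY(IEASYMUP...) TYPE(FAC)"]
    findings, default_prevent = [], False
    for line in lines[1:]:
        m = ENTRY.match(line)
        if not m:
            continue  # not a rule entry (e.g. a comment line)
        uid, words = m["uid"].strip(), m["rest"].upper().split()
        if "PREVENT" in words:
            default_prevent = default_prevent or uid == "*"
            continue
        # Any entry that is not PREVENT is treated as granting access.
        if uid not in approved_uids:
            findings.append(f"UID({uid}): access for a non-approved group")
        if "LOG" not in words:
            findings.append(f"UID({uid}): access is not logged")
    if not default_prevent:
        findings.append("no UID(*) PREVENT default entry")
    return findings


if __name__ == "__main__":
    for name, text in (("COMPLIANT", COMPLIANT), ("DEFICIENT", DEFICIENT)):
        print(name, audit_ieasymup(text) or "not a finding")
```

The check is deliberately conservative: an entry carrying anything other than PREVENT or LOG is reported, so it flags rule lines a reviewer should read by hand.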

Documentable

False

Severity Override Guidance

Check Content Reference

M

Target Key

4100
